[RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM

Roberto Sassu roberto.sassu at huaweicloud.com
Thu Dec 19 15:40:32 UTC 2024


On Wed, 2024-12-18 at 17:07 +0000, Song Liu wrote:
> Hi Mimi, 
> 
> Thanks for your comments!
> 
> > On Dec 18, 2024, at 3:02 AM, Mimi Zohar <zohar at linux.ibm.com> wrote:
> > 
> > On Tue, 2024-12-17 at 13:29 -0800, Casey Schaufler wrote:
> > > On 12/17/2024 12:25 PM, Song Liu wrote:
> > > > While reading and testing LSM code, I found IMA/EVM consume per inode
> > > > storage even when they are not in use. Add options to diable them in
> > > > kernel command line. The logic and syntax is mostly borrowed from an
> > > > old serious [1].
> > > 
> > > Why not omit ima and evm from the lsm= parameter?
> > 
> > Casey, Paul, always enabling IMA & EVM as the last LSMs, if configured, were the
> > conditions for making IMA and EVM LSMs.  Up to that point, only when an inode
> > was in policy did it consume any memory (rbtree).  I'm pretty sure you remember
> > the rather heated discussion(s).
> 
> I didn't know about this history until today. I apologize if this 
> RFC/PATCH is moving to the direction against the original agreement. 
> I didn't mean to break any agreement. 
> 
> My motivation is actually the per inode memory consumption of IMA 
> and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to 
> each inode via i_security. IMA is better on memory consumption, as 
> it only adds a pointer to i_security. 
> 
> It appears to me that a way to disable IMA and EVM at boot time can 
> be useful, especially for distro kernels. But I guess there are 
> reasons to not allow this (thus the earlier agreement). Could you 
> please share your thoughts on this?

Hi Song

IMA/EVM cannot be always disabled for two reasons: (1) for secure and
trusted boot, IMA is expected to enforce architecture-specific
policies; (2) accidentally disabling them will cause modified files to
be rejected when IMA/EVM are turned on again.

If the requirements above are met, we are fine on disabling IMA/EVM.

As for reserving space in the inode security blob, please refer to this
discussion, where we reached the agreement:

https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@mail.gmail.com/

Thanks

Roberto




More information about the Linux-security-module-archive mailing list